May 5, 2014 at 15:00PKI (Public Key Infrastructure) using JavaScript? Now it is possible with PKIjs and ASN1js libraries
I present to you two libraries that implement almost the full range of required functionality for organizing PKI infrastructure: PKIjs and the auxiliary library ASN1js. Libraries are freely available and distributed under license, allowing their code to be used without special restrictions, even in commercial products. The full code for these libraries is available on GitHub: PKIjs + ASN1js .
In order to attract readers directly in the introduction, I will give a short list of features of the above libraries:
More information about libraries and what can be done with their help.
ASN1js library is an ASN.1 BER data encoder / decoder (Basic Encoding Rules), that is, it automatically allows you to work also with DER and CER rule sets. In addition to encoding / decoding data, the library also allows you to create easy-to-understand schemes of ASN.1 objects, as well as further compare decoded ASN.1 BER data with previously made schemes.
I will list a set of features of this library:
There are many examples for the library (see GitHub). In addition, another designed library, PKIjs, may be the biggest “example” of using the ASN1js library.
This library was originally conceived as the basis for creating a full-fledged structure of PKI solutions, from the simplest to the most complex. It should be convenient for the user to work with it, data should be easily accessible and easily modifiable. The library has more than 50 different “helpers” for working with all the necessary PKI related structures (like GeneralName, various types of X.509 certificate extensions, and much more). The library has a multilayer structure and can easily be modified and supplemented. In GitHub, you can see the current development plans for this library in the Issues section.
I will list a set of features of this library:
And now a little of what is possible to create using PKIjs + ASN1js:
For questions on these libraries, you can contact me directly as an author. Once again, I recall the repositories for these libraries: ASN1js and PKIjs . Open to all comments and suggestions.
PS: Adding from 05/07/2014 - I forgot to add information on CMS Signed Data + CSM Enveloped Data, fixed it.
In order to attract readers directly in the introduction, I will give a short list of features of the above libraries:
- Object Oriented Code
- Work with HTML5 (ArrayBuffer, Promises, WebCrypto (using “dev nightly build” by Google Chrome);
- The ability to create, verify, receive internal data, change data for the following objects:
- X.509 Certificates
- Review Lists (CRLs) X.509
- Certificate Requests (PKCS # 10)
- OCSP requests;
- OCSP server responses
- Time-stamping (TSP) requests
- TSP server responses
- CMS Signed Data
- CMS Enveloped Data
- Implementing your own "certificate chain validation engine" in JavaScript;
- … And much more! Look under the cut!
More information about libraries and what can be done with their help.
ASN1js
ASN1js library is an ASN.1 BER data encoder / decoder (Basic Encoding Rules), that is, it automatically allows you to work also with DER and CER rule sets. In addition to encoding / decoding data, the library also allows you to create easy-to-understand schemes of ASN.1 objects, as well as further compare decoded ASN.1 BER data with previously made schemes.
I will list a set of features of this library:
- Fully object-oriented code, continuous use of inheritance capabilities;
- Working with objects from the HTML5 standard (ArrayBuffer)
- Work with all data types ASN.1: 2008
- All data types from this library store information about all sub-blocks: identification sub-block (tag), sub-block of length (length) and sub-block of value (value);
- The user at any time can access any single byte from any sub-block;
- All subunits can be of unlimited length, as described in the standard (even the identification subunit);
- Full-fledged work with all ASN.1 string data types, including types that work with international strings: UniversalString, BMPString, UTF8String. A standard string from JavaScript can be used as input to the constructor of any ASN.1 string type. The reverse is also true - when decoding any string data type ASN.1, decoding to a standard JavaScript string automatically occurs (stored as an object field);
- The same is true for ASN.1 data types of the "date-time" type. For the main data types (UTCTime and GeneralizedTime), it is possible to initialize a Date object using ordinary JavaScript. The reverse transformation is also true - when decoding, the values of these types are automatically decoded in JavaScript with the “Date” type;
- Work with easy-to-understand ASN.1 circuits;
- The library provides the following special types for working with ASN.1 schemes:
- ANY
- CHOICE
- REPEATED
- The user can create named blocks inside the ASN.1 schema and later receive the necessary ASN.1 data by name;
- All types inside the library are dynamic;
- All types of libraries can be initialized both dynamically and by passing static data to the constructor;
There are many examples for the library (see GitHub). In addition, another designed library, PKIjs, may be the biggest “example” of using the ASN1js library.
PKIjs
This library was originally conceived as the basis for creating a full-fledged structure of PKI solutions, from the simplest to the most complex. It should be convenient for the user to work with it, data should be easily accessible and easily modifiable. The library has more than 50 different “helpers” for working with all the necessary PKI related structures (like GeneralName, various types of X.509 certificate extensions, and much more). The library has a multilayer structure and can easily be modified and supplemented. In GitHub, you can see the current development plans for this library in the Issues section.
I will list a set of features of this library:
- Fully Object Oriented Code
- Work with data types from the latest standards (ArrayBuffer, Promises, WebCrypto (uses the latest Google Chrome night build));
- It has a complete set of objects for working with auxiliary types, such as:
- GeneralName
- RelativeDistinguishedName;
- Time
- AlgorithmIdentifier;
- All standard types of X.509 certificate extensions;
- All auxiliary objects for working with OCSP requests and responses;
- All auxiliary objects for work with Time-stamping protocol (TSP);
- Implemented its own function of checking the certificate path (certificate chain engine) entirely in JavaScript, using Promises and WebCrypto;
- Implemented work with all the main data types related to PKI:
- X.509 Certificates
- Getting information about all fields of the certificate, including nested ones;
- Creation and modification of any internal structures;
- Ability to create a certificate from scratch;
- Built-in "certification chain validation engine";
- Certificate Revocation Lists (CRLs) X.509
- Getting information about all fields of the structure, including nested ones;
- Creation and modification of any internal structures;
- Ability to create CRL "from scratch";
- The ability to verify the validity of the digital signature CRL;
- Built-in search function of the certificate of entry into the CRL;
- PKCS # 10 Certificate Requests
- Getting information about all fields of the structure, including nested ones;
- Creation and modification of any internal structures;
- Ability to create PKCS # 10 "from scratch";
- Ability to verify the correctness of the digital signature PKCS # 10;
- OCSP requests
- Getting information about all fields of the structure, including nested ones;
- Creation and modification of any internal structures;
- Ability to create an OCSP request from scratch;
- OCSP server responses
- Getting information about all fields of the structure, including nested ones;
- Creation and modification of any internal structures;
- Ability to create an OCSP server response from scratch;
- The ability to verify the digital signature of the response of the OCSP server;
- Time-stamping protocol (TSP) requests
- Getting information about all fields of the structure, including nested ones;
- Creation and modification of any internal structures;
- Ability to create a TSP request from scratch;
- The ability to verify the correctness of the digital signature of the TSP request;
- TSP server responses
- Getting information about all fields of the structure, including nested ones;
- Creation and modification of any internal structures;
- Ability to create a response TSP server "from scratch";
- The ability to verify the digital signature of the response of the TSP server;
- CMS Signed Data
- Getting information about all fields of the structure, including nested ones;
- Creation and modification of any internal structures;
- Ability to create CMS Signed Data "from scratch";
- The ability to verify the correctness of the digital signature CMS Signed Data;
- CMS Enveloped Data
- Getting information about all fields of the structure, including nested ones;
- Creation and modification of any internal structures;
- The ability to create CMS Enveloped Data and key management is planned for development in the near future;
- X.509 Certificates
And now a little of what is possible to create using PKIjs + ASN1js:
- Certification Authority entirely in JavaScript;
- OCSP server fully in JavaScript;
- TSP server entirely in JavaScript;
- Clients of OCSP and TSP servers are completely in JavaScript;
- "Cryptographic workbench" like "CryptoARM" completely in JavaScript;
- Tools for working with S / MIME;
- Library for working with CAdES;
- Various libraries of support for working with digital signatures in documents on Web pages;
- And much more!
For questions on these libraries, you can contact me directly as an author. Once again, I recall the repositories for these libraries: ASN1js and PKIjs . Open to all comments and suggestions.
PS: Adding from 05/07/2014 - I forgot to add information on CMS Signed Data + CSM Enveloped Data, fixed it.